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Abstract 

Adding  ML-style  references  to  a  Hindley-Milner  polymorphic  type  system  is  troublesome  because  such 
a  system  is  unsound  with  naive  polymorphic  generalization  of  reference  types.  Tofte  [12]  introduced  a 
distinction  between  imperative  and  applicative  type  variables,  such  that  applicative  type  variables  are  never 
in  reference  types,  that  provides  a  simple  static  analysis  of  which  type  variables  may  be  polymorphically 
generalized.  MacQueen’s  [7]  weak  type  variables  generalize  imperative  type  variables  with  a  counter  called 
a  strength.  The  finer  distinction  allows  a  more  accurate  analysis  of  when  a  reference  may  be  created,  and 
thus  which  type  variables  may  be  generalized. 

Unfortunately,  weak  polymorphism  has  been  presented  only  as  part  of  the  implementation  of  the  SML/NJ 
compiler,  not  as  a  formal  type  system.  As  a  result,  it  is  not  well  understood,  as  its  more  subtle  points  are  not 
well  known.  Furthermore,  while  versions  of  the  implementation  have  repeatedly  been  shown  unsound,  the 
concept  has  not  been  proven  sound  or  unsound.  We  present  several  formal  systems  of  weak  polymorphism, 
show  their  connection  to  the  SML/NJ  implementation,  and  show  the  soundness  of  most  of  these  systems. 
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1.  Background 


A  reference  cell  is  an  assignable  memory  location  and  is  a  primary  imperative  feature  of  Standard  ML  of 
New  Jersey  (SML/NJ).  The  language  is  unsound  if  reference  types  are  polymorphically  generalized  in  the 
usual  manner  of  Hindley-Milner  type  system.  For  example,  a  list  of  integers  could  be  stored  in  the  cell,  and 
a  list  of  booleans  read  from  it,  as  in  the  expression 

let  val  a  =  ref  nil  in  a  :=  [1];  not  (hd(!a))  end 

While  it  is  unsound  to  polymorphically  generalize  types  of  the  form  a  ref,  generalizing  function  types 
involving  references  is  not  necessarily  so.  A  simple  example  is 

let  val  ref’  =  fn  x  =>  ref  x  in  (ref*  l.ref’  true)  end 


A  number  of  type  systems  have  been  proposed  to  allow  code  such  as  this  while  preserving  soundness  [1,  4, 
6,  10,  11,  13].  Of  particular  interest  for  this  paper  are  those  of  Tofte  [12]  and  MacQueen  [7]. 


In  the  standard  Hindley-Milner  type  system,  generalization  is  allowed ^on  all  free  type  variables  not 
occurring  in  the  ( variable )  type  assumption ,  a  mapping  from  variables  to  type  schemes.  However,  with 
references,  it  is  also  necessary  to  have  a  location  type  assumption,  assigning  a  type  to  each  location  of  the 
store  [12].  The  unsoundness  of  the  naive  static  semantics  is  a  result  of  generalizing  type  variables  occurring 
free  in  the  location  type  assumption  [12].  Since  neither  the  store  nor  the  location  type  assumption  can  be 
known  statically,  a  safe  approximation  must  be  made  to  determine  those  type  variables  which  may  occur  in 
the  location  type  assumption  and  therefore  should  not  be  generalized  [12]. 


In  order  to  provide  such  a  safe  approximation,  Tofte  introduces  a  distinction  between  two  classes  of  type 
variables,  called  applicative  and  imperative.  Imperative  type  variables  are  used  to  statically  track  values  that 
may  be  placed  in  reference  cells.  Applicative  type  variables  are  not  used  with  reference  types  and  can  always 
be  polymorphically  generalized.  Additionally,  imperative  type  variables  can  be  generalized  if  the  evaluation 
of  the  /eZ-bound  expression  does  not  lead  to  creation  of  a  reference  cell.  Since  this  is  undecidable.  Tofte 
defines  an  expression  to  be  non-expansive  if  it  is  syntactically  a  value  other  than  a  reference  cell.  The  second 
example  above  is  then  type  correct.  Since  functions  are  non-expansive,  the  local  type  assumption  maps  ref  ’ 
to  the  type  scheme  V  u.u  ->  u  ref,  where  u  is  imperative,  which  instantiates  to  both  int  ->  int  ref 
and  bool  ->  bool  ref.  The  first  example  is  still  rejected  as  desired  since  the  expression  ref  true  is  not 
non-expansive,  and  its  type  is  not  generalized.  ,  - 


However,  this  static  analysis  is  overly  conservative.  In  the  example 

let  val  ref2  -  fn  x  =>  fn  y  =>  ref  x 
in 


let  val  refl  =  ref 2  nil 
in 

(true  ::  !(refl  ()),1 

end 


' (refl  ())) 
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the  type  of  refl  is  not  generalized  because  application  expressions  are  considered  expansive.  Since  there  is 
no  generalization,  the  expression  does  not  have  a  type  since  refl  cannot  be  of  type  unit  ->  bool  ref  and 
unit  ->  int  ref.  However,  it  is  sound  to  allow  such  code  since  a  different  reference  cell  is  created  for  each 
call. 


One  method  to  improve  upon  Tofte ’s  system  is  to  track  not  only  which  values  may  be  placed  in  reference 
cells,  but  when  the  cells  are  created.  This  additional  information  can  then  be  used  for  a  more  accurate 
definition  of  non-expansiveness.  This  is  the  essence  of  MacQueen 's  weak  polymorphic  types 
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2.  Weak  Polymorphic  Types 


Weak  polymorphism  expands  on  Tofte's  distinction  of  type  variables.  To  produce  a  better  static  analysis  of 
what  values  may  be  in  reference  cells,  type  variables  are  indexed  by  an  integer,  known  equivalently  as  its 
strength  or  weakness.  A  strength  s  of  a  type  variable  in  the  type  of  an  expression  indicates  that  during  t  he 
evaluation  of  the  expression  supplied  with  less  than  s  arguments,  no  cell  is  created  of  a  type  involving  that 
type  variable.  Applicative  type  variables  correspond  to  those  of  infinite  strength,  whereas  those  of  finite 
strength  are  weakly  polymorphic.  In  particular,  a  type  variable  with  strength  of  zero  corresponds  to  the 
possible  creation  of  a  cell  with  a  type  involving  that  type  variable  during  the  evaluation  of  the  expression. 

Non-cntical  type  variables,  those  of  positive  strength,  are  generalized,  but  critical  variables  are  not. 
Thus  the  improvement  over  Tofte’s  system  stems  from  being  able  to  generalize  some  imperative  or  weak 
variables.  This  is  similar  to  Tofte’s  non-expansive  condition  for  allowing  generalization.  A  more  in-depth 
comparison  of  the  two  related  systems  in  found  in  Section  7. 

Using  such  motivation,  we  can  develop  the  basic  ideas  of  weak  types.  Since  a  reference  cell  must  have  a 
critical  type, 

% 

ref  nil  :  ’Oa  list  ref 

and  purely  functional  terms  have  types  of  infinite  strength.1 
fn  x  =>  x  :  ’a  ->  ’a 

Abstraction  increments  strengths,  since  they  count  the  number  of  applications  until  a  reference  is  created. 

in  x  =>  rai  nil  :  ’b  ->  ’la  rei 
fn  x  =>  ref  x  :  ’la  ->  ’la  ref 

Similarly,  application  decrements  the  strengths  in  the  function  position. 

(fn  x  =>  ref  x)  nil  :  ’Oa  list  ref 

If  the  argument  of  an  application  has  a  weak  type,  the  analysis  must  make  a  conservative  approximation. 
In  general,  the  function  may  in  turn  apply  its  argument  to  multiple  arguments,  where  each  application 
corresponds  to  a  decrement  in  strengths.  Statically,  the  conservative  assumption  is  made  that  enough 
applications  are  performed  for  a  reference  ceil  to  be  produced.  For  example,  the  strength  of  ’a  in 

(fn  x  =>  fn  y  =>  ref  x)  :  '2a  ->  ’b  ->  '2a  ref 

must  be  made  critical  when  the  expression  is  used  as  an  argument  in 

(fn  f  =>  f  nil  nil)  (fn  x  =>  fn  y  =>  ref  x)  :  'Oa  list  ref 

Following  the  previous  examples,  the  following  code  would  be  assigned  a  type  with  negative  strength 

((fn  f  =>  f  nil)  (fn  x  =>  fn  y  =>  ref  x))  nil  :  ’"la  list  ref 

since  the  application  to  nil  decrements  the  already  critical  strengths  of  the  function.  SML/NJ  avoids 
negative  strengths  at  the  top-level  in  most  cases.  But  in  Version  0.66,  which  follows  this  motivation  closely, 

(xet  val  7  -  ref  (fn  z  =>  z)  in  fn  y  =>  x  end)  ()  :  (’"la  ->  ’"la)  ref 

Intuitively,  the  let  expression  has  type  unit  ->  ('Oa  ->  ’Oa)  ref  since  a  reference  is  created,  and  the 
application  decrements  the  strengths  one  more.  More  commonly,  negative  strengths  are  only  used  when 
type  checking  sub-expressions  of  the  original  expression  as  in 

1  In  SML/NJ,  infinite  strengths  are  not  printed 
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ref  (In  z  =>  z)  :  (’Oa  ->  ’Oa)  ret 


The  strength  of  ’a  when  type  checking  z  can  be  thought  of  as  being  "1,  which  is  then  incremented  by  the 
abstraction. 

Weak  polymorphism  has  been  developed  by  MacQueen  within  the  type  inference  algorithm  of  SML/NJ. 
Only  this  algorithm  has  served  as  the  definition  of  the  type  system,  and  unfortunately,  numerous  implemen¬ 
tations  have  been  shown  to  be  unsound.  Each  has  had  problems  which  could  be  ascribed  to  implementation 
details,  but  the  concept  has  not  been  proven  sound.  Additionally,  key  ideas  of  the  algorithm,  such  as  this 
conservative  approximation  at  application,  have  not  been  widely  known,  so  the  system  has  been  poorly 
understood  even  by  skilled  SML/NJ  programmers. 

This  paper  addresses  these  problems.  In  Section  3,  this  motivation  is  transformed  into  a  formalism,  the 
soundness  of  which  is  outlined  in  Section  4  and  given  in  full  in  the  Appendix.  In  Section  5,  it  is  shown  how 
this  formalism  relates  to  a  more  algorithmic  formalism,  which  is  also  sound.  Other  details  of  a  comparison  to 
the  algorithm  of  SML/NJ  are  presented  in  Section  6,  and  a  comparison  to  other  approaches  is  in  Section  7. 


3.  A  Declarative  Formalism  -  AE 


This  section  presents  a  formal  definition  of  an  ML-like  language,  related  to  the  previous  motivation  of 
weak  polymorphism.  This  includes  the  rules  and  motivation  for  the  syntax,  dynamic  semantics,  and  static 
semantics,  as  well  as  the  notation  used  in  the  semantics  and  proof. 

The  expression  language  used  is  defined  by 

x  €  variables 
l  £  locations 

e  £  expressions  ::=  x  \  l  \  ()  |  ref  e  |  !e  |  ei:=e2  |  let  x=e\  in  en  |  fn  x  =>  e 
v  £  values  ::=  l  \  ()  \  fn  x  ^  e 

The  free  variables  of  the  expression,  FV(e),  are  defined  in  the  usual  manner.  Capture-avoiding  expression 
substitution  is  denoted  [e'/x]e. 

An  empty  mapping  is  denoted  by  .,  while  the  extension  of  a  mapping  over  an  additional  domain  element 
is  denoted  like  A'[d  ►—  r].2  Mappings  are  also  abbreviated  like  [di  1 —  ri , . . . ,  dn  <—  <fn].  The  union  of  disjoint 
mappings  is  written  as  X,  X'. 


Dynamic  Semantics 

The  dynamic  semantics  is  defined  by  the  following  standard  rules,  where  a  memory  pi  is  a  finite  mapping 
between  locations  and  values.  The  judgment  p  He  v,p!  is  well-formed  if  e  is  closed  with  respect  to  all 
variables,  and  reads  “Given  the  memory  p.,  the  expression  e  evaluates  to  t>,  resulting  in  a  new  memory  p'  " 

pi  h  v  =>  v,  pi  (VAL) 


pi  He  =>  v,  p' 
pi  I-  ref  e  =>  l,  pi' [l  •— *  v] 


if  l  £  dom(p') 


(ALLOC) 


2 Except  for  type  assumptions,  written  like  Tfr  •  rl 
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H  b  e  => 
p  b  !e  => 


(CONT) 


p  b  ei  =>  /,  pt  pi  b  e2  =»  u,  p2[/  •— ■  i>'] 
P  t-  ei:=e2  =►  (), A*2[/  •—  v] 


(UPD) 

% 


p  b  e\  =>  /n  x  =>  e'^pi  pt  b  e2  =>  u2,p2  A*2  => 

P  b  eie2  =>  t/,p' 


(APPLY) 


fih  ei  =>  Mi  b  (ui/a:]e2  =>  u2,  p2 

p  b  let  x—ei  in  e2  =>  u2,p2 


(BIND) 


Static  Semantics 


The  types  and  type  schemes  are  defined  by 

s,  a,  w  €  strengths 
a,  (3  G  tyvars 
r  G  types 
cr  6  typeschemes 


Z  U  {00} 

a  |  unit  |  Ti— ►  r2  |  r  ref 
VE.r 


where  a  strength  context  E  is  a  finite  mapping  from  type  variables  to  strengths.  The  trivial  type  scheme 
V .  .r  is  abbreviated  by  r.  Since  all  instances  of  a  type  variable  in  a  type  or  type  scheme  must  have  the  same 
strength,  strength  contexts  are  used  to  maintain  consistency. 


The  free  (bound)  type  variables  of  a  type  or  type  scheme  are  denoted  by  FTV(r)  (BTV(r)).  These 
functions  are  also  extended  to  location  and  variable  type  assumptions,  and  are  also  extended  to  be  n-ary 
functions  so  that,  for  example,  FTV(  A,  T)  =  FTV(  A)  U  FTV{ T). 

Type  variables  of  non-positive  strength  are  critical ,  or  Crits(A),  if  for  all  a  G  .4.  E(o)  <  0.  Similarly. 
NonCritz(A) ,  if  for  all  a  G  ,4,  E(o)  >  0.  A  type  is  (non-)critical  relative  to  E  if  all  of  its  type  variables  are 
(non-)critical  in  S. 

Weaker^(A,  s)  holds  if  for  all  #G  A,  E(a)  =  00  or  E(a)  <  s,  and  similarly,  SWeaker^(A,  s)  holds  if  for 
all  a  G  A,  E(a)  <  s.  Let  (E  +  c)(a)  =  E(a)  +  c.  The  minimum  of  ».*  0  strength  contexts  having  the  same 
domain,  min(Ei,E2),  is  defined  by  the  point-wise  minimum. 

A  strength  context  E'  is  weaker  (below  s)  than  strength  context  E  of  the  same  domain,  E'  <,  E.  if  for 
all  a  G  dom( E'),  E'(a)  =  E(a)  whenever  E(a)  >  s,  and  otherwise  E'(a)  <  E(a).  Of  particular  interest  is 
the  case  when  s  s=  1,  which  implies  that  the  two  strength  contexts  agree  on  all  positive  strengths,  but  that 
E'  is  more  critical  than  E.  Note  that  E'  4-  1  <s  E  +  I  implies  E'  <,  E,  which  implies  E'  <s+1  E,  but  the 
converses  do  not  hold. 

Instantiation  is  defined  much  as  it  is  in  the  standard  Hindley-Milner  type  system,  but  with  restrictions 
on  weak  type  variables.  A  type  scheme  instantiates  to  a  type, 

V[oi  i—  S1; - an  Sn].r  >  t' 

if  there  exists  a  type  substitution  S  =  [«i  >-*  t\  , . . . ,  an  ►—  r„]  such  that  S(r)  =  r',  and  for  ail  «  G  FTV'(n ), 
E(a)  <  Si.  Similarly,  relative  to  E,  a  type  scheme  <r'  is  more  general  than  cr,  written  bv  cr'  >  cr.  if  for  any 
type  r  such  that  bj;  cr  >  r,  then  bs  <r'  V  r.  For  example,  for  any  j  <  i, 

b,  V[a  i].a— *a  >  V[a  •— *  j].a— > -a 
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but  not 

h.  V[a  •— ►  jj.a— a  >  V[o  •—  i].a— a 

and  the  type  schemes  V[a  •—  j,  /j  i— . .  i].a— ►/?  and  V[a  • — ►  i,  /l?  < —  j].a — /?  are  incomparable. 

A  type  judgment  A;  T  t-v  e  :  r  reads  “With  strength  context  E,  given  the  location  type  assignment  A 
and  variable  type  assignment  T,  e  has  type  r.”  Such  a  judgment  is  well-formed  if  dom(E)  D  FTV(  A.  T,  r) 
and  this  relation.  Derivability  is  defined  by  the  following  rules  which  use  the  definitions  in  the  remainder  of 
this  section. 


Fs  T(j)  >  r 
A;T  hE  x  :  r 


(VARd) 


m  =  i 

A;  T  hs  /  :  r  ref 


(LOCd) 


A;  rhs  ()  :  unit' 


(UNITd) 


A;  f  1-;  e  :  r 
A;  T  re/e  :  r  ref 


if  Cntv{FTV(r)) 


(REFd) 


A;  T  h %  e  :  r  ref 
A;  T  hs  !e  :  r 


( -D ) 


A;  r  hs  ei  :  r  ref  A;  T  l~s  e2  :  r 
A;  T  l~s  ei  :=e2  :  unit 


A;  T  Hs+1  ei  :  r2— *r  A;  T  e2  :  r2 

A;  n-E  ei  e2  :  r 


if  Weakers(FTV(T2),  0) 


(APPd) 


A;  £[z  :  n]  hv_i  e  :  r2 
A;T  l-s  /n  x  =>  e  : 


if  x  ^  dom(r) 


(LAMd) 


A;  r  H jj'  ei  :  ri 
A;  T[x  :  VE'.ri]  hj;  e2  :  r2 

A;  T  hs  let  x=e\  in  e2  :  r2 


,z  ^  dom(r),  NonCntz>(dom(E')),  and 
Wea/fcers((/’TVr(rl)  fl  dom(E))  —  FTV(A,  r), 0) 


(LETd) 


Note  that  the  strengths  are  incremented  and  decremented  in  (APPd)  and  (LAMd)-  The  side  condition 
of  (APPd)  enforces  the  conservative  approximation  previously  described.  The  side  condition  on  (REFd) 
simply  reflects  the  usual  treatment  of  ref  as  a  functional  primitive  having  the  type  scheme  V[a  ■—  l].a— a  ref. 

In  (LETd),  £  and  E'  have  disjoint  domains  by  the  definition  of  the  map  union  operator.  So,  by  the 
well-formedness  of  the  second  precondition,  the  domain  of  E'  is  disjoint  from  the  free  type  variables  of  both 
type  assumptions.  By  using  the  strength  context  E 1  only  in  the  first  subderivation,  it  is  explicit  that  the 
names  of  the  generalized  type  variables  are  relevant  only  locally. 

The  last  side  condition  of  (LETd)  states  that  any  finitely  positive  type  variables  in  T\,  but  not  in  the 
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type  assumptions,  must  be  generalized.  Without  this  restriction,  the  following  judgment  is  derivable. 

b[a_2j  let  x=fn  -  =>  fn  y  =>  ref  y  in  j()  :  a— a  re/ 

This  is  a  very  technical  condition.  It  disallows  the  rule’s  use  if  any  type  variable  in  FTV(r\)  D  FTV(rn)  — 
FTV A,  T  is  finitely  positive  in  E.  But,  if  this  were  the  case,  there  exists  another  derivation  to  allow  the  let 
expression  to  type  by  renaming  these  type  variables  in  rj  with  fresh  type  variables,  and  adding  them  to  E'. 

To  relate  the  locations  in  the  dynamic  and  static  semantics,  a  memory  p.  type  matches  (with  respect  to 
E/  the  type  context  A  ,  or  bs  pt  :  A,  if  dom(p)  =  dom{ A),  if  for  all  l  £  dom(p),  A;,  bv  p(l)  :  A (/). 


4.  Soundness 


This  section  presents  an  overview  of  the  soundness  proof  of  the  formalism,  including  the  statement  and  proof 
sketches  of  the  theorem  and  main  lemmas.  For  the  full  proof,  refer  to  the  Appendix.  Soundness  is  shown 
by  proving  a  form  of  type  preservation  under  evaluation,  as  in  [2,  3,  12,  15].  The  theorem  and  lemmas  are 
similar  to  those  for  the  functional  Hindlev-Milner  and  Tofte’s  imperative  type  systems,  except  that  extra 
conditions  are  needed  to  keep  tight  control  on  the  strengths  of  pertinent  type  variables,  and  the  notion  of 
an  occurrence  adds  many  complications. 


Unfortunately,  while  evaluation  preserves  types,  it  does  not  necessarily  preserve  strengths.  For  example, 
consider  the  following  expressions: 

e0  =  fn  z  z 

ex  =  fn  x  ^  fn  y  =>  xeoeo 

e2  =  fn  a  =>  (let  b=ref  a  m  fn  c  =>  !6)() 
e  —  eie2 

v  =  fn  y  =>  e2e0eo 

In  particular,  e2  is  a  function  which  is  assigned  a  critical  type,  and  e  evaluates  to  v.  The  strongest  typings 
for  e  and  v  are 

b[a„0„tf— oo]  e  :  J — o— a 
oo]  »  '■  d— ■a— a 

It  is  sound  to  assign  the  stronger  type  to  v,  but  the  analysis  provided  by  the  formalism  is  not  able  to  give 
this  stronger  type.  As  will  be  proved,  no  such  example  exists  for  non-critical  types. 

This  does  not  entirely  contradict  the  usual  intuition  that  if  e  evaluates  to  v,  then  v  could  be  given  a  more 
general  type  than  e.  In  most  cases,  v  could  be  assigned  the  same  or  higher  strengths.  For  a  simple  example, 
consider 

e  =  (fn  x  =>  x)(fn  y  =>  ref  y) 
v  =  fny =>  refy 


Since  b(Q_0]  e  :  a— a  ref ,  the  Type  Preservation  theorem  states  that  there  exists  a  critical  strength  s  such 
that  b[a_,]  v  :  a—*a  ref.  But,  in  fact,  v  can  be  typed  with  the  higher  strength  context  [« >—  1]. 

The  Top-Level  Type  Preservation  theorem  states  that  if  e  evaluates  to  u,  then  e  and  u  have  the  same 
type,  although  v  may  require  more  critical  strengths.  Furthermore,  any  cells  created  during  this  evaluation 
have  critical  types. 

Theorem  (Top-Level  Type  Preservation  Under  Evaluation)  If  pi  b  e  =>  v,  p! ,  and.-,,  br  e  :  r,  then 
there  exists  Aq,  and  Eq  <i  E  such  that  Aq;.  bs0  v  :  r,  bs0  pi'  :  Ao,  and  Critz0(FTV( Ao))- 
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Proof  Sketch:  This  is  proved  by  generalizing  the  theorem  to  all  location  type  assumptions,  and  general)  ;"g 
the  strength  context,  and  then  by  structural  induction  on  the  evaluation  derivation.  The  (APPLY',  md 
(BIND)  cases  require  the  following  Value  Substitution  lemma.  The  last  assumption  f  that  lemma  is  achieved 
through  the  side  conditions  on  the  (APPd)  and  (LETd)  rules.  The  rest  of  the  cases  are  not  difficult,  although 
extensive  use  is  made  of  the  Weakening  and  Strengthening  lemmas.  D 


The  Value  Substitution  lemma  states  that,  under  restrictions,  the  type  ot  an  expression  is  stable  under 
substitution  of  a  value  for  a  variable  of  more  general  type.  The  result  of  the  substitution  may  require  more 
critical  strengths. 

Lemma  (Value  Substitution)  If 

•  A;.  Hs.St  v  :  Ti, 

•  A; r[*  :  VEi.ti]  hs  e  :  r2,  and 

•  Weakers(FTV(A,  rj)  fi  dom(E),0), 

then  there  exists  E'  <1  E  such  that  A;  T  hv;<  [v/ x\e  :  r2. 

Proof  Sketch:  This  lemma  must  also  be  generalized  to  allow  a  proof  by  structural  induction  on  the  type 
derivation  of  e.  In  general,  the  strength  context  for  the  second  assumption  is  of  the  fuim  (E.E2)  +  c.  and 
for  the  conclusion,  (E',E2)  +  c.  The  strength  context  E2  accounts  for  the  local  type  variables  in  the  (LETd) 
case,  which  cannot  be  allowed  to  decrease.  The  constant  c  generalizes  the  constant  1  or  —1  added  in  the 
(APPd)  and  (LAMd)  cases.  Because  of  the  generalization,  the  only  interesting  case  is  when  e  =  x.  which  is 
proved  as  an  instance  of  the  following  Type  Substitution  lemma  and  Weakening.  □ 

Lemma  (Type  Substitution)  If 

•  A;  T  hs,Si  e  ■  r, 

•  S  =  [on  n . an  *—  rn], 

•  for  all  1  <  i  <  n,  SWeaker{r .z2)+c(  FTV(ri),  Ei(o,  )), 

•  Weakerz(FTV(A,  T,  r)  ft  dom(E),  0), 

then  there  exists  E'  <i  S  such  that  5(A);  5(T)  bfS'.Sji+c  e  :  5(r). 

Proof  Sketch:  As  with  Value  Substitution,  the  strength  contexts  are  generalized  so  that  the  resulting 
lemma  may  be  proved  by  structural  induction  on  the  type  derivation.  In  particular,  the  first  assumption 
uses  (E,  Ei,  Eo)  +  c',  and  the  conclusion  uses  (((£',  E2)  +  c),  Eo)  +  c' . 

The  (VARd)  base  case  is  then  proved  by  finding  an  appropriate  E'  such  that  the  required  instantiation 
holds.  Similarly,  the  (REFd),  (APPd),  and  (LETd)  cases  require  calculating  an  an  appropriate  E'  such 
that  the  side  conditions  hold,  as  well  as  using  the  Ground  Type  Substitution  lemma  to  eliminate  some  type 
variables  from  consideration.  The  remaining  cases  follow  easily.  □ 


There  are  several  other  lemmas  to  strengthen  and  weaken  type  derivations.  The  previously  mentioned 
Ground  Type  Substitution  proves  that  any  type  derivations  are  stable  when  type  variables  are  consistently 
replaced  by  ground  types.  Strengthening  states  that  unused  variables  may  be  discarded  from  the  variable 
type  assumption  and  strength  context.  And  Weakening  shows  that  extra  assumptions  are  allowed  in  the 
location  and  variable  type  assumptions  and  the  strength  context,  and  that  the  finite  strength  numbers  may 
be  safely  decreased.  In  particular,  AE  does  not  allow  infinite  strengths  to  be  decreased  arbitrarily.  For 
example, 

/»  /  =>  fn  x  ^  fx  :  (a— 5)—  Q—li 

only  if  c  =  oo  or  c  <  2. 
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5.  Algorithmic  Formalisms 


The  implementation  of  SML/NJ  does  not  use  this  motivational  formalism.  While  similar,  one  of  its  core  ideas 
is  the  use  of  an  occurrence  which  approximates  the  surrounding  syntactic  context  of  a  subexpression.  The 
"top-level"  occurrence  is  named  Root,  and  the  mappings  on  occurrences  are  named  Rator{  •).  Rand(  ).  Abs(  ). 
and  Let(-),  on  application  functions,  application  arguments,  abstraction  bodies,  and  /et-bound  expressions, 
respectively.  Various  versions  of  SML/NJ  include  different  fields  in  occurrences,  and  the  remainder  of  this 
paper  discusses  the  two  primary  ones,  while  other  features  not  used  are  discussed  in  Section  tj. 


The  Systems  AE~  and  A'P 


Instead  of  incrementing  and  decrementing  every  strength  in  the  context  at  every  abstraction  and  application, 
a  single  offset  can  be  used.  This  offset,  called  the  abstraction  depth ,  is  the  first  field  of  an  occurrence. 
Thus,  we  can  split  the  strength  context  E  into  a  strength  context  and  an  abstraction  depth  a  such  that 
E  =  —  a,  and  the  typing  rules  can  be  written  leave  fixed.  The  abstraction  depth  of  a  given  subsexpression 

approximates  the  number  of  times  that  subexpression  is  applied  in  the  whole  expression.  The  only  effect  of 
making  such  a  change  is  an  increase  in  efficiency. 

In  order  to  motivate  the  other  field  used  here,  we  digress  temporarily.  A  more  restrictive  version  of  the 
typing  rule  for  applications  would  be 


A;  T  l~s+i  ej  :  To— >r  A;  T  e2  :  r2 

A;  rhs«,  e2:r 


if  Weakerr(FTV(A,  P,  To),  0) 


(APP'd) 


The  type  system  AE~  resulting  from  replacing  (APPp)  with  (APP'd)  is  sound  since  it  is  a  (strict)  subsystem 
of  the  original. 

Surprisingly,  however,  the  Value  Substitution  lemma  does  not  hold  in  AE_.  For  example,  let 

e  =  /na=>a()()() 

e  =  fn  y  =>  let  u—ref  y  in  x 


so  that  they  are  assigned  non-critical  types 

.  P[c»— oo]  v  '■  nn,t — unit— >unit — a 

.;[x  :  unit-— unit— ‘unit— a]  e  '■  Id — ( unit— unit— unit— a)— n 

but  the  result  of  substitution  is  typed  as 

b[OH_oo,/3»-o]  [tt/z]e  :  fd—  (unit- unit—  unit—  a)- a 

where  a  non-critical  strength  has  been  lowered.  As  a  result,  the  soundness  of  this  system  cannot  be  shown 
directly  using  the  same  style  of  proof  as  in  Section  4. 


Use  of  the  second  component  of  the  occurrence,  the  maximum  weakness  w,  allows  the  side  condition 
on  (APP'd)  to  be  replaced  by  a  check  at  instantiation.  For  this  system,  there  is  no  reason  to  prefer  this 
alternative,  although  some  motivation  will  be  given  for  other  systems.  The  maximum  weakness  is  an  upper 
bound  on  finite  strengths  in  The  mappings  on  occurrences  (a.  w)  are  then  defined  by 


Rand(a,  w) 
Ratori  a,  w) 
Abs(  a,  w) 
Let(a,  w ) 
Root 


(a,  min  (a,  w)) 
(a  -  1 ,  ui) 

( a  +  1 ,  w) 
(a,oo) 

(0,  oo) 
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A  type  judgment  \;T  \~*  a  w  e  :  r  reads  “With  strength  context  at  the  occurrence  containing  the 

abstraction  depth  a  and  maximum  weakness  w,  and  given  the  location  type  assignment  A  and  variable  type 
assignment  T,  e  has  type  r."  Such  a  judgment  is  well-form  if  dom('P)  D  FTV(\,  V ,r).  Derivabilitv  in 
is  defined  by  the  following  rules. 

— 4rr~  -  t/  Weaker*(  FTV( A,  T,  r),  w) 

A;  T  r*.a  u,  x  :  r 

(VARa) 

.  A(/)  Zl -  ,/  Weaker*  ( FTV(A,  T),  w) 

A;  r  jo  l  :  r  ref 

(LOC’a) 

A;  T  'r*:a,w  ()  :  un»<  if  Weaker*(FTV( A,  T),  w) 

(UNITa) 

A;F  h*.Rand(a.un  e  :  r  lf  Cnt<t_a(FTV(r)) 

A;  L  P*;a,u)  refe  -.r  ref 

(REFa) 

A;  T  1 ~*,a,w  e  :  r  ref 

A;  T  \-*  a,w  'e  '■  T 

(•a) 

A;  T  \~*-a,w  «t  :  r  ref  A;  T  eo  :  r 

A;  T  1 ~*,a,w  et:=eo  :  amt 

(:  =  a) 

A;  T  *  RatoT\a ,w)  tx  :  r2~*r  A;  T  V *  ftand(a,w)  •  T- 

A;  T  l~4r;a.  w  ei  p2  '■  T 

(APPa) 

A;r[x  :n]H,Awe:t3  ,f  x  £  dom( D 

A;  T  fn  x  =>  e  :  T\ — To 

(LAMa) 

A .  rfj  T^Z  *'  Lne!ri^)  e‘  '  r‘  .  r  if*  t  dom(D,  NonCnt*,-a(dom(V)),  and 

A’  P[x  W  -  a.n]\-*,a.we,.r 2  if  Weaker*((FTV(ri)  n  dom{}ff))  _  F  TV{y  r),  a) 

A;  f  P*;a,w  let  x-e\  in  eo  :  To 

(LETa) 

Only  the  abstraction  depth  is  incremented  and  decremented  in  (APPa)  and  (LAMa)-  But,  the  strength 
context  offset  by  the  abstraction  depth  is  now  used  in  (VARa),  (REFa).  and  (LETa). 

Since  Let(a,w)  =  (a,  to),  (LETa)  places  no  upper  bound  on  the  strengths  of  the  type  variables  in  ft' 
The  strengths  in  "f/  are  still  bound  by  the  maximum  weakness  w  in  the  type  derivation  of  e 2-  If  instead 
Let(a,  w)  =  (a,  w),  then  there  would  be  no  generalization  in  expressions  such  as  f(lel  x—fn  z  ref  z  in  e ). 
Similarly,  the  top-level  occurrence  Root  also  has  an  infinite  maximum  weakness,  so  that  no  extra  constraints 
are  placed  on  strengths. 

By  structural  induction,  it  is  easy  to  show  that 


Lemma  (Maximum  Weakness  -  A'P  )  If  we  :  r,  then  Weaker*(  FTV(  A.  f.  r),  w). 


In  particular,  this  implies  that  the  side  condition  of  (  APP'd)  is  satisfied  by  this  system,  also.  Thus  it  is  easy 
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to  show  by  induction  that 


Lemma  (AS  Contains  A'F  )  If  A;  T  Fyawe  :  r.  then  A;  T  !-*_«  e  :  t. 

In  fact,  these  two  systems  are  equivalent,  in  the  sense  that  they  admit  the  same  derivations  at  the  "top-lever . 
This  follows  from 

Lemma  (A'F-  Contains  AS")  If  A;  T  h*_a  e  :  r.  and  Weaker^[FTV(\S  .r),  w).  then  A;  T  h#;a  w  t  :  r 
which  is  proved  by  structural  induction,  and  using  Ground  Type  Substitution. 

The  System  A'i' 

The  SML/NJ  implementation  is  not  as  restrictive  in  its  use  of  the  maximum  weakness.  The  following  changes 
result  in  a  system,  A'F,  more  like  AE  and  the  implementation. 


— - — a  ^ — -  if  Weaker <b(  FT V(r),  w) 

(VAR'a) 

A;  T  hy.a,w  -p  :  r 

A (/)  =  r  ref 

(LOC'a) 

A;  T  Fy  a.w  l  '■  T 

A;  r  unit 

(UNIT'a) 

For  this  system,  it  might  be  argued  that  the  side  condition  of  (VAR'a)  is  more  efficient  than  that  of  ( APPr>) 
since  instantiation  must  examine  the  strengths  of  some  of  the  type  variables  of  r  anyway. 

This  system  is  strictly  less  conservative  than  A'F-  and  AE-,  but  is  incomparable  with  AE.  For  example. 

if 

e  =  (/n  c  =>  z)(fn  a  =>  let  x—fn  y  =>  ref  a  in  fn  b  ^  ref  b) 

then  in  A»F  we  have  P[o„20.-o )  Root  e  re/.  But,  in  AE,  the  finite  strengths  of  the  argument 

must  be  critical,  so  a  is  at  most  0.  And  if 

e  =  (/n  c  =>  (fn  x  =>  fn  y  =>  z)(::=fn  a  =>  ref  a)( ))( ref  (fn  a  =>  ref  a)) 

then  in  AE  we  have  F[0— o]  e  '■  a— a  ref.  But,  in  A®,  a  can  only  have  strength  -1  at  the  occurrence  Root. 
It  can  be  shown,  however,  that  an  expression  typable  in  AE  is  also  typable  in  A*F  at  the  top-level  occurrence 
by  only  lowering  critical  strengths. 

As  a  result,  the  soundness  of  this  system  is  still  open,  as  is  its  stability  under  substitution.  One  factor 
that  complicates  proofs  is  that  only  very  weak  forms  of  a  Maximum  Weakness  lemma  hold  as  in  the  following. 

Lemma  (Maximum  Weakness  -  A'F)  If  \,V  a  w  e.  :  ri— - *r„,  then  Weaker^(FTV(Tn).  w). 


The  Systems  AE+  and  A'k+ 

The  conservative  approximation  at  application  in  all  of  the  previous  systems  is  overly  conservative.  As 
motivated,  the  finite  strengths  of  the  argument  type  must  be  critical,  because  the  function  may,  in  turn. 
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apply  its  argument  to  other  arguments,  possibly  creating  a  reference  cell.  If  the  argument  is  purely  functional, 
however,  this  is  impossible.  But  by  using  the  same  strength  jontext  (modulo  a  constant  offset)  to  type  both 
the  function  and  argument,  this  cannot  always  be  detected.  For  example,  in  AD, 

b[o_0 ./J—OO]  (fn  1  =>  fn  IJ  =>  ref  x)(fn  a  =>  a)  :  J— («— cv  ref) 

Here,  the  argument,  the  identity  function,  must  be  given  a  weak  type  to  match  the  strength  of  the  function 
domain. 

The  following  more  complicated  application  rule  does  not  force  the  conservative  approximation  on  the 
type  variables  of  the  argument  which  "could  have  been"  of  infinite  strength. 


A;  T  1~e+i  ej  :  r2— r  A;  T  hv.  e*>  :  r2 
A;f  hr  fj  en  :  r 


Weakerr'(FTV{T2),0),  and 
ifZ'(a)  >  D(a)  if  ae  FTV(t2)  -  FTV( A.  T) 
D'(a)  =  D(a)  otherwise 


(APP"n) 


This  effectively  makes  part  of  unification  explicit  in  the  formalism.  The  system  AD+,  using  this  application 
rule,  is  strictly  less  conservative  than  AD.  The  soundness  proof  extends  to  this  system  with  litt  le  modificat  ion 
only  if  a  weakening  rule  such  as  the  following  is  also  included. 


A;  T  hs  e  :  r 
A;  T  b v'  e  :  r 


;/D'  <  D 


(VVEAKEXo) 


where  D'  <  D  if  D'  is  point-wise  less  than  or  equal  to  D.  Because  of  the  Weakening  lemma,  it  would  be 
sufficient  for  the  side  condition  to  state  that  D  and  D'  aggree  on  all  finite  values  in  D.  Without  such  a  rule, 
the  system  is  not  stable  under  substitution,  but  still  might  be  sound. 

This  weakening  rule  is  only  useful  immediately  preceding  application,  so  the  typing  rules  could  be  com¬ 
bined.  This  would  restore  the  syntax-direct.edness  of  the  system,  but  would  further  complicate  the  side 
conditions  on  the  application  rule. 

The  algorithmic  system  Atl»+  can  be  defined  simi1  irly.  and  is  the  most  SML/NJ-like  system  in  this  paper. 
Like  A*!*,  however,  its  soundness  is  still  open. 


6.  Relation  to  SML/NJ 


Some  differences  between  SML/NJ  and  the  formalisms  are  primarily  syntactic.  First.  SMI,  types  correspond 
to  the  pairing  of  types  and  strength  contexts.  And  unlike  SML.  the  formalisms  restrict  the  reference  prim¬ 
itives  to  their  fully  applied  forms.  It  would  be  equivalent  to  replace  the  inference  rules  for  the  reference 
primitives  with  the  following 

ref  V(q  i—  Ij.or— *o  ref 

!  V[q  •—  to], a  ref — a 
:=  V[a  ►—  Xij.a  ref—a—nmt 

in  the  variable  type  assumption,  or  as  the  equivalent  axioms.  The  disadvantage  of  this  alternative  is  that 
values  must  be  given  to  the  evaluation  of  partially  applied  primitives,  which  complicates  the  dynamic  se¬ 
mantics  and  loosens  the  correspondence  of  the  inference  rules  of  the  static  and  dynamic  semant  ics.  However, 
the  algorithmic  formalisms  are  slightly  stronger  than  the  implementation  in  that  the  type  inference  rules  for 
!  and  :=  do  not  use  Rand{  )  as  does  general  application.  This  is  safe  since  these  primitives  are  known  not  to 
create  any  cells  when  partially  applied. 

The  implementation  implicitly  uses  (WEAKENq)  when  unifying  types  in  the  application  case.  It  was 
omitted  from  the  majority  of  the  formalisms  because  its  non-syntax-directed  nature  complicates  proofs.  Or, 
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if  combined  with  the  application  rule  of  each  system,  it  would  hinder  comprehension.  The  systems  are  sound, 
and  admit  more  types  for  expressions,  but  apparently  do  not  type  more  expressions  with  its  addition. 

Sequencing,  ei;eT,  can  be  treated  as  syntactic  sugar  for  let  z=e \  in  en.  where  c  is  new.  The  type  inference 
rule  in  the  declarative  framework  would  be 

A;  ri-s  ei  :  Ti  A;  r  hr  en  :  ro 

A;  T  1-v  ei ;  63  :  rs  ^ 


In  the  declarative  formalisms,  either  definition  of  sequences  admits  the  same  expressions  to  be  typed,  al¬ 
though  the  definition  as  a  let  expression  allows  more  derivations. 

Also,  the  implementation  has  three  additional  fields  in  the  occurrence.  The  lambda  depth  is  similar  to  the 
abstraction  depth,  bu'  is  not  decremented  in  Ratorf).  Its  use  seems  to  be  to  prevent  function  expressions 
from  being  given  critical  types  (except  when  the  function  is  used  as  an  argument,  of  course).  In  later  versions, 
the  base  field  provides  a  simpler,  but  unsound,  analysis  which  allows 

(let  val  x  =  ref  (fn  z  =>  z)  in  fn  y  =>  x  end)  ()  :  (’la  ->  ’la)  ref 

It  is  unclear  how  either  of  these  relate  to  the  declarative  formalisms.  The  outer  field  allows  curried  function 
applications  to  be  treated  somewhat  like  a  single  uncurried  application,  by  using  the  same  occurrence  for 
each  of  its  arguments.  This  corresponds  to  having  a  single  application  rule  for  typing  multiple  curried 
arguments  at  once,  as  in 


A;  T  l-s+r,  eo  ■  ■  •  •  tv,—  r  A;  T  t~s  ei  ■  n  if  Weakers(FTV(ri),0), 

A;  rhse0e1...en  :  r  for  all  1  <  i  <  n 


(APP  -  manyD) 


Because  of  side  effects,  the  implementation  effectively  does  not  use  the  same  strength  context  when  type 
checking  multiple  antecedents  of  an  inference  rule.  For  example,  when  type  checking  the  following  expression, 
the  implementation  decrements  the  same  strength  counter  for  each  application  f(). 

fn  a  =>  let  val  f  =  fn  b  =>  fn  c  =>  ref  a  in  f();  f();  f()  end 
:  ’Oa  ->  ’c  ->  ’Oa  ref 

However,  the  formalisms  allow  the  expression  to  have  the  type  a— -7 — a  ref.  with  the  expected  strength. 

L(a)  =  2. 


7.  Comparisons  with  Other  Related  Systems 


Weak  polymorphism  is  often  explained  as  it  is  here,  as  a  generalization  of  Tofte's  imperative  type  system, 
but  this  is  not  entirely  correct.  Tofte’s  system  uses  two  inference  rules  for  type  checking  let  expressions. 
One  generalizes  all  type  variables  when  the  /ef-bound  expression  is  non-expansive.  The  other  generalizes 
applicative  type  variables  when  the  expression  is  expansive.  If  an  expression  of  critical  type  were  necessarily 
expansive,  then  the  let  type  inference  rule  would  subsume  both  cases,  but  this  is  not  so.  For  example,  in  the 
declarative  systems, 

fn  a  =>  (let  x  =  ref  a  in  fn  y  ^  r)()  :  n— a  ref 

only  if  s  <  0.  Thus,  the  expression  is  of  critical  type,  but  non-expansive.  Thus,  we  conjecture  that  restricting 
any  of  the  formalisms  to  using  only  the  strengths  0  and  x>,3  and  augmenting  it  with  Tofte's  non-expansive 
let  type  inference  rule  is  strictly  more  powerful  than  Tofte’s  system. 


1  Where  0  —  n  =  0,  0  +  n  =  0,  and  00  —  n  =  0,  for  any  n. 
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Hoang,  Mitchell,  and  Viswanathan  [4]  proved  the  soundness  of  a  different  type  system  based  on  weak 
types.  They  permit  different  strengths  on  separate  instances  of  a  type  variable  in  a  type  as  in 

In  f  =>  f  nil  :  (’sa  list  ->  ’sa)  ->  ’(s  —  l)a 

for  any  finite  strength  s.  The  decremented  strength  of  the  function  result  reflects  the  single  applicat  ion  in  the 
function  body.  This  generalization  of  the  SML/NJ  approach  gives  a  more  informative  analysis  of  strengths, 
even  for  purely  functional  terms  as  above,  which  eliminates  the  need  for  the  conservative  approximation 
of  strengths  at  function  applications.  As  a  result,  they  claim  that  their  system  is  more  general  than  that 
of  SML/NJ  and  provide  empirical  evidence  of  this,  but  they  lack  a  formalization  of  SML/NJ  to  prove  the 
claim. 

In  their  analysis  of  reference  creation,  both  weak  and  imperative  types  label  type  variables  with  infor¬ 
mation.  Another  approach  is  to  label  type  arrows  with  effects,  an  approximation  of  the  change  in  the  store. 
The  static  semantics  then  derives  both  a  type  and  an  effect  for  an  expression,  and  generalization  is  then 
defined  relative  to  those  effects.  This  approach  is  taken  by  Damas  [1],  Leroy  and  Weis  [6],  Reynolds  [9], 
Talpin  and  Jouvelot  [10,  11],  and  Wright  [13].  A  slightly  different  approach  is  given  by  Leroy  [5],  where  type 
arrows  are  labelled  with  types  that  may  occur  in  references.  He  also  provides  a  comparison  of  this  approach 
with  some  of  these  others. 

For  a  comparison  of  some  of  these  systems  to  each  other,  see  Wright  [13].  Also  refer  to  O'Toole  [8]  for 
a  rough  comparison  of  four  systems,  including  MacQueen’s.4  In  general,  this  approach  appears  to  be  more 
powerful  than  weak  types,  although  existing  systems  are  incomparable.  Furthermore,  the  systems  using  this 
approach  have  simpler  inference  rules  than  those  shown  here  for  weak  polymorphism.  However,  in  practice 
the  approach  may  be  unwieldy,  because  of  the  size  of  the  type  arrow  labels. 

Weak  polymorphic  types  may  be  examined  with  this  approach  as  well.  As  a  rough  outline,  the  types  are 
defined  as 


r  ::=  o  ]  unit  \  r  —  r 

<r  ::=  Vo; , . . . ,  n„.T 

where  £  is  a  set  of  type  variables  with  the  restriction  that  in  the  type  77  —  ■  ■  ■  —  r„,  if  n  £  E, ,  then 
a  €  Ei+\.  (Unfortunately,  we  see  no  obvious  motivation  for  this  restriction  in  this  setting.)  Then  the  type 

t  =  77— * - >rn  in  the  strength  context  L  corresponds  to  the  type  77  —  •  ■  •  E— 1  rn  paired  with  the  effect 

Eq,  where  E,  =  [a|a  €  FTV(t),E(q)  <  i}.  The  following  table  gives  some  examples  of  the  correspondence 
to  SML/NJ  types: 


’Oa  ref 

’la  ->  ’la  ref 
’2a  ->  ’b  ->  ’2a  ref 
(’2a  ->  ’Oc)  ->  ’lb  ->  ’2a 


a  ref,  {o} 
a  o  ref,  0 
a  —  ,3  —  a  ref,  0 
(a— a)  —  li  n—  a,  {7} 


Wright  [14]  suggests  that  all  of  these  systems  are  too  complex  for  a  practical  type  system,  particularly 
in  combination  with  modules.  He  notes  that  generalization  is  always  sound  if  restricted  to  values,  and  gives 
empirical  evidence  that  this  restriction  is  not  a  great  sacrifice  in  programming  flexibility. 


1 0’Toole  incorrectly  allows  generalization  of  critical  type  variables  in  his  formalization  of  weak  polymorphism. 
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8.  Conclusions  and  Future  Work 


We  have  motivated  and  described  several  formalisms  of  weak  polymorphic  types  which  are  quite  similar  to 
that  of  SML/NJ.  In  particular,  the  algorithmic  family  of  calculi  closely  model  the  details  of  the  implementa¬ 
tion.  Most  of  these  have  been  proven  sound  with  respect  to  the  standard  call-by-value  operational  semantics. 
Naturally,  any  of  these  could  be  incorporated  into  SML/NJ,  to  restore  proven  soundness  to  its  type  system. 
But,  since  weak  polymorphism  is  also  used  to  type  continuations  and  exceptions,  it  should  be  verified  that 
extending  the  system  with  these  features  is  sound,  although  no  complications  are  expected.  The  soundness 
of  the  remaining  formalisms,  A'?  and  A^+,  should  also  be  determined,  since  they  are  closely  related  to  the 
implementation. 

Despite  the  similarities  to  SML/NJ,  detailed  comparisons  are  still  somewhat  difficult  because  the  im¬ 
plementation  has  a  broader  definition  of  occurrences,  and  it  uses  side  effects.  The  A'?  family  of  formalisms 
could  be  enriched  with  the  more  general  definition  of  an  occurrence  to  further  study  some  of  these  details. 
We  conjecture  that  using  the  lambda  depth  field  allows  more  function  expressions  to  be  non-critically  typed, 
but  still  does  not  allow  the  type  preservation  theorem  to  hold  without  using  more  critical  strengths. 

These  systems  should  be  systematically  compared  to  the  alternate  formalization  of  weak  types  found  in 
[4].  This  would  test  the  claim  that  their  approach  is  strictly  more  general  than  that  of  SML/NJ.  It  also 
provides  a  potential  method  of  proving  the  soundness  of  Atf  and  AtH+.  should  their  system  be  more  general 
than  these  two  calculi. 

Many  of  the  side  conditions  in  the  type  rules  are  complex.  This  is  especially  true  of  the  more  powerful 
application  rules,  which  more  closely  model  the  implementation.  Since  simplicity  is  one  goal  of  a  type 
system,  so  that  it  can  be  easily  understood  by  the  programmer,  this  points  to  a  fundamental  problem  of 
practicality  for  the  approach  of  weak  polymorphism. 

The  connection  between  type  systems  which  label  type  variables  and  those  which  label  type  arrows 
should  also  be  further  explored.  Since  specific  systems  of  these  two  approaches  are  generally  incomparable 
in  power,  it  may  be  worthwhile  to  somehow  combine  the  ideas  in  one  system.  However,  such  a  combination 
would  likely  result  in  types  too  cumbersome  in  practice. 
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Appendix  -  Proof 

This  appendix  presents  the  proofs  of  the  soundness  theorem  and  lemmas  for  system  AE.  as  outlined  in 
Section  4.  They  are  presented  in  the  order  of  their  dependence. 

Lemma  1  (Weakening)  If 

•  A;  T  l~So  e  :  t, 

•  Si  <oo  So, 

•  FTV( A',P)  C  dom(E0,  Sj), 

•  dom(  A)  D  dom( A')  —  0,  and 

•  dom(r)  D  dom(T')  =  0, 

then  A,  A';  T,  T'  e  :  r. 

Several  subcases  of  this  weakening  lemma  are  used,  and  it  is  proved  by  straightforward  structural  induc¬ 
tion  on  the  type  derivation. 

Lemma  2  (a- Renaming  Type  Substitution)  If 

•  A;  T  He  e  :  r, 

•  S  =  [<*1  >—  a\, . . .  ,an  >—  »!,], 

•  dom(S)  C  dom(E),  and 
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•  rng(S)  H  rfom(D)  —  0, 
then  5(A);  5(T)  FS{^)  e  '■  5(r). 

Lemma  3  (Ground  Type  Substitution)  If 

•  A;  T  l”s  e  :  r, 

•  5  =  [tti  ►—  T\ , . . . ,  o„  *->  rn], 

•  dom(S)  C  rfom(D),  and 

•  FTV(mg(S))  =  0. 
fAen  5(A);  5(T)  l-s  e  ;  5(r). 


These  two  lemmas  are  special  cases  of  type  substitutions.  The  first  one  is  used  to  show  that  the  names 
of  generalized  variables  can  be  rt-renamed  to  avoid  conflicts  with  other  strength  contexts.  The  second  is 
used  to  eliminate  unnecessary  type  variables  from  consideration.  Both  follow  easily  by  structural  induction 
on  the  type  derivation.  See  the  proof  of  Type  Substitution  for  details  of  the  (VARn)  case. 


Lemma  4  (Strengthening)  If 

•  A;  T,  T  l-SiS,  e  :  r, 

•  fTV'( A,  T,  r)  C  dom{ D),  and 

•  dom(r')n  FV(e)  =  0, 
then  A;  T  bv  e  :  r. 


This  lemma  could  easily  be  generalized  to  strengthen  the  location  type  assumptions,  as  well,  hut  t  his  is 
unnecessary. 


Proof:  It  is  proved  by  simple  structural  induction  on  the  type  derivation,  using  (Iround  Type  Substitution 
to  eliminate  any  extra  type  variables  occurring  only  in  the  mediating  types  in  (:  =  n),  (APPn),  and  (LETp). 
For  the  most  difficult  case,  (LETd),  inversion  of  the  derivation  provides  a  Ho  and  r'  such  that. 

A;  r  1-s.So.S'  et  :  T'  A;  ?[x  :  VD„V]  hvv,  c,  :  r 

NonCnl-50(domCE o))  Weakerr(  FTV(t')  n  rfom(D)  —  FTV{  A,  T),  0) 

Without  loss  of  generality,  assume  by  a-renaming  on  values,  that  t  £  dom(V). 

Induction  cannot  be  used  yet,  since  FTV(t')  is  not  necessarily  a  subset  of  dom( D.  So)-  So.  define  5  to  be 
a  ground  type  substitution  on  the  type  variables  in  dom(E')  D  FTV(t').  Then,  (iround  Type  Substitution 
gives 

A;  r  C!  ;  5(r')  A;  T(x  :  5(VDoV)]  r2  :  r 

And  5(VDo.r')  =  VEn-5’(r')  since  the  domains  of  5  and  Do  are  non-intersecting.  Induction  then  applies, 
and  the  conclusion  follows  by  (LETp)  D 


Lemma  5  (Type  Substitution)  If 

•  A;  T  !",£,£,. £«)+<-'  e  '■  r- 

•  5  =  [ort  >—  n . nr„  i—  r„], 
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•  for  all  1  <  i  <  n,  SWeaker^  ■s^+c(FTV(Ti),E[(ai)),  and 

•  Weaker^(FTV(\,  I\  r)  f~l  rfom(E),  0), 

then  there  exists  E'  <i  E  such  that  5(A);  5(T)  H(((v;',e3)+c),So)+c'  e  :  5(r). 

Proof:  This  is  proved  by  structural  induction  on  the  typing  derivation.  The  (LOC’d)  and  (UNITd)  cases 
hold  trivially  with  the  definition  S'  =  S. 

The  (VARd)  case  requires  careful  treatment  of  the  domains  of  substitutions  to  show  that  instanti¬ 
ation  is  stable  under  type  substitution.  Invertion  of  the  type  derivation  states  that  the  instantiation 

h(S,Eo,Si)+C3  r(x)  £  T  ho,ds-  Let 

5  =  [«1  *  Ti ,  .  .  .  ,  Oln  7"n] 

where  a i, . . . , a*  £  BTV(T(x)),  and  where  oik+i,  ■  ■  ■  ,an  £  BTV(T(x)).  By  the  definition  of  the  instantiation 
relation, 

Hi)  =  Vfafc  +  i  •—  Sr  ,  .  .  .  ,  Ojt+m  ►—  SmJ.r' 

where  k  +  m  >  n,  and  there  exists  a  types  r[, . . .  ,r'm  such  that  defining  the  type  substitution 

5i  =  [ojt  +  1  ►—  Tj ,  .  .  .  ,  ot  +  m  1 —  rm] 

implies  5i(r')  =  r.  In  particular,  choose  5i  so  that,  for  1  <  j  <  m,  if  at+j  FTV(r').  then  rj  is  ground, 
so  that  FTV(rng(S))  C  FTV(r).  In  addition,  define  the  following  type  substitutions,  where  a". . . .  ,a”  are 
new: 


•  S'  =  [aq  *—  n,.  ,.,ak  <—  r*] 

•  S2  =  W~S(r{) . a"  -5(4)] 

•  S3  =  [a*+i  ►—  a" . *—  a/t+m] 


Thus,  5(T(x))  =  Vta'/  ►—  si, - a"  ►—  sm].5'(53(r')),  and  52(5'(53( r')))  =  5(5i(r'))  -  S(r).  Now  define 

E'  so  that  for  all  a  £  dom(E')  =  dom( E), 

v,.  ,  f  S(a)  +  min(0, -ci )  if  a  €  FTV(rng(S))  and  E(a)  <  00 
“  Q  ~  \  E(a)  otherwise 

By  the  last  assumption,  and  since  FTV{rng(S))  C  FTV{r),  then  E'  <1  E.  And  since  by  instantiation,  for 
all  1  <  J  <  m,  SITeateqv  Si  S())+Cj(FTV'(rj), sy ),  the  third  assumption  implies  that,  for  all  1  <  j  <  w. 
5ITea^er(((S',s3)+ci  ),z0)+ci(FTV(S(rj)),  Sj ).  Thus,  the  desired  instantiation  holds, 

^«(£\E3)+c,),E„)+ej  5(r(x))  >  S(r) 


and  the  conclusion  holds  by  (VAR). 


The  (!d)  and  (LAMd)  cases  follow  simply  by  induction.  Both  the  (:=d)  and  (APPd)  cases  must  also  use 
Ground  Type  Substitution,  while  in  the  (REFd),  (APPd),  and  (LETd)  cases,  an  appropriate  E'  must  be 
calculated  to  satisfy  the  side  conditions,  as  in  the  (VARd)  case.  For  example,  in  the  (APPd)  case,  inversion 
gives  a  r'  such  that 


A;  T  !-(£,£,, Eoi+cj  +  i  ei  :  r'— r  A;  T  P(S,s,.E„)+ca  e2  :  t' 


Weaker(Z'Sl)+C3(FTVlT'),0) 


To  allow  the  last  assumption  to  hold  inductively,  the  type  variables  occurring  only  in  the  mediating  type  r' 
must  be  removed.  So,  define  a  ground  type  substitution  S'  over  the  type  variables  in  dom(E')  D  FTV(r')  — 
FTV(A,F,r).  By  Ground  Type  Substitution, 


A;  T  t-(£,S,,£o)+ej+l  el 


sVHr 


A;  r  t-(E,E1,Eo)+c3  :  S'(t') 
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Since  H/eaA.,erv(5'(r')  n  dom(S),0),  induction  proves  that  there  exists  S"  <1  S  and  S'"  <1  S  such  that 


5(A);5(r)hU(S» 

,S3)+Oi),Eo)+c2  +  1  el 


S(S'(t')~t) 


5(A);  5(T)  t-(((S'".SaH-c,),S0)+c2  e2 


5(5'(r')) 


and  let  S""  =  min(S",S'").  Now  the  side  condition  of  (APPd)  must  be  satisfied.  To  this  end,  define  S'  so 
that  for  all  a  6  dom(S')  =  dom( S), 


S'(a) 


S""(a)  +  min(0,-ct)  if  a  e  F7V(S'(r'))  and  S""(a)  <  dc 
S""(q)  otherwise 


So  that  by  the  original  side  condition  and  the  third  assumption,  the  new  side  condition  holds; 


•4 


» 


!TeaAer(((S,iSa)+Cl)tSo)+C3(FrV'(5(5'(r'))),0) 


Also,  by  the  original  side  condition  and  the  last  assumption,  S'  <1  S"".  So,  the  conclusion  holds  by  Weak¬ 
ening  and  the  (APPd)  rule.  □ 


Lemma  6  (Value  Substitution)  If 

•  A; .  I— s ,s i  t>  ;  T\ , 

•  A;  :  VSj  .Ti]  e  :  r2,  and 

•  Weaker^(FTV(\,  rj )  n  dom(S),  0), 

then  there  exists  S'  <i  S  such  that  A;  f  ,s2)+^  [v/x]e  ;  r2. 


Proof:  The  proof  is  by  structural  induction  on  the  type  derivation  for  e.  The  (LOCd).  (UNITd).  and 
when  e  ^  x,  (VARp)  cases  follow  from  Strengthening  with  the  definition  S'  =  S.  When  e  =  x.  (hen 
hs.Sji+c  VSi.ri  >  r2  follows  by  inversion.  By  the  definition  of  instantiation,  there  is  a  type  substitution  5 
such  that  5(  T\ )  =  r2,  and  for  all  a'  E  dom(S),  SWeaker(  s  Sj)+,.(  FTV(S(a')).  Si  (o')).  Also.  5(A)  =  A.  The 
conclusion  holds  by  Type  Substitution  and  Strengthening. 

The  (REFd),  (Id)-  and  (LAMp)  cases  holds  by  induction.  The  (:=d)  and  (APPd)  cases  hold  by  induction 
and  Weakening.  In  the  (LETd)  case,  inversion  states  that  there  exists  a  r'  and  So  such  that 

A;  T[x  :  VSi-n]  h, v ,Sj,s0)+c  et  :  r'  A:  T[x  ;  VSi ,rx,y  :  VS0V]  t-(v  S2l+,  e2  ;  r2 

NonCntz0(dom('F,n))  Weaker^,  ^l)+r(  FTV(t’)  n  dom(S,  S2)  -  FTV'(A,r[x  :  VS i  - ^ ] ) ,  0 ) 

By  a-Renaming  Type  Substitution,  we  can  assume  that  the  type  variables  in  S0  do  not  clash  with  those  in 
S).  So,  by  induction,  there  exists  S"  <!  S  and  S'"  <i  S  such  that 


l-(S".s3,E0)+e  b/-r]«t  :  r>  A;T[y  :  VS0.r']  h(S»,  ^)+c  [u/x]e2  :  r2 

Let  S""  =  min(S",S'").  In  order  to  satisfy  the  last  side  condition  of  (LETd),  define  S'  so  that  for  all 
a  E  domCE’)  =  dom( S), 


S'(a) 


min(S""(a),  -c)  if  a  e  FTV{tx  )  and  S""(a)  <  oo 
S  ""(a)  otherwise 


By  the  last  assumption,  S'  <i  S.  and  Weafce7V'+,.(  F'TP(VS|  .r,  ),0).  So, 


Weaker^,  ^)JrC{FTV(T')f\dom( S.S2)  -  FTV{\,  T),  0) 
and  the  conclusion  holds  by  Weakening  and  (LETd)- 


□ 


Theorem  1  (Type  Preservation  Under  Evaluation)  If 
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•  n  h  e  =>  v,  n' , 

•  A;.hj  e  :  r, 

•  bs+c  F  :  A, 

•  c  <  0,  and 

•  Critz+c(FTV(\)), 

then  there  exists  Aq  and  So  such  that 

•  So  +  c  <1  S  +  c 

•  A,  A0;.  hSo  v  :  r, 

•  ^Eo+c  p'  :  A,  A0,  and 

•  Cntx0+c(FTV( A0)) 

Proof:  The  proof  is  by  structural  induction  on  the  evaluation  derivation*  The  constant  c  corresponds 
exactly  with  the  abstraction  depth  of  the  algorithmic  formalisms,  so  the  strength  context  S  +  c  is  that  of 
the  top-level.  Note  that  the  type  judgments  in  the  assumption  and  conclusion  use  strength  contexts  that 
are  not  adjusted  by  c.  Since  the  location  type  assumption  and  strength  context  are  extended  and  weakened 
for  each  sub-derivation,  the  weakening  lemma  is  needed  to  prove  the  assumptions  of  many  induction  cases. 

The  (VAL)  case  holds  with  Ao  =  •  and  Eo  =  S,  since  n'  =  /. t . 

For  the  (ALLOC)  case,  inversion  of  the  first  two  assumptions  gives 

fih-e=>v,n\  pi'  =  n\[l  h-  t>]  A;.f~se:r  Cnt^(FTV(r)) 

So,  induction  provides  a  Ai  and  Eo  such  that 

E0+c<!  S  +  c  A,  Ai;.  hSl)  u  :  r  Hv0+C  :  A.  Ai  Cnt^n+r(  FTV(  A  i ) ) 

Defining  Ao  =  Aj[/  :  r  ref\ ,  then  H v;0+c  //  :  A,  Ao-  And  A,  Ao:.  bs0  /  :  r  re/holds  by  (LOC).  Since  FTV(  Ao)  = 
FTV(\i,r),  the  conclusion  then  holds. 

In  the  (CONT)  case,  inversion  gives 

A;.hv  e  :  r  ref  /i  he  =>  l./i1 

where  u  =  /i'(/)-  Induction  then  proves  that  there  exists  a  Aq  and  Ei  such  that 

Ei+c<iE  +  c  A,  Ao ;  - 1 ~s,  l  ■  r  ref  hSl+c  :  A,  A0  Cnt^l+r(FTV( Ao)) 

So,  A,  Ao(/)  =  r  ref.  Then,  by  the  definition  of  type  matching  and  Strengthening,  A,  Ao; .  !”£,+<.  t.’  :  r.  Define 
Eo  so  that  for  all  a  €  dom( Eo)  =  dom( E), 


v  Ei(o)  +  c  [(a€  FTV(A.Ao) 

^ 0  \  Ei  (a)  otherwise 

Since  Cnt^l+c(FTV( A,Ao)),  then  Eo  +  c<i  E  +  c.  The  type  judgments  of  the  conclusion  then  follow  bv 
Strengthening  and  Weakening,  since  c  <  0. 

The  (UPD),  (APPLY),  and  (BIND)  cases  are  similar,  with  a  pattern  of  induction  followed  by  weakening. 
The  latter  two  also  use  Value  Substitution  to  allow  induction  on  the  result  of  substitution.  Because  of  the 
similarities,  only  the  (APPLY)  case  is  given  here. 
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For  (APPLY),  inversion  gives  a  ro  such  that 


M  I-  e\  =>  fn  x  =>•  e'[ ,  pi  Mi  P  ei  =>  D2,M2  M2  P  [uo/x]ei  =>  u, /i' 

A;.l“s+i  Cl  :  Tn~r  A;.Pe  e2  :  M'Yafcerv(/'TV’(r2),  0) 

Induction  on  the  derivation  involving  e\  shows  that  there  exists  a  Ai  and  Si  such  that  4 

Si  +  1  +  (c  -  1)  <1  S  +  1  +  (c  -  L)  A,  Ai;.  hs,+i  fnx=>  e\  :  t2—t 

i~E,+i+(c— 1)  Mi  •  A,Ai  CVi<s1+i+(c_i)(  FTV(  Ai))  * 

Weakening  proves  A,Ai;.Ps,  e2  :  r2  so  that  induction  applies,  giving  a  Ao  and  So  such  that 

S2  +  c<iSi+c  A,  Ai,  Ao;.  l-s3  vo  :  ro  PsJ+c  /io  :  A,  Ai,  Ao  Cnt^2+c(FTV(\2)) 

Inversion  on  the  function  value,  along  with  Weakening,  proves 

A,  Ai,  A2;  [x  :  t2\  Ps,  e\  :  r  A,  Ai,  A2;.  Ps2  v2  :  r2 

So,  using  the  trivial  generalization  V.  ,r2  =  ro.  Value  Substitution  proves  that  there  exists  S3  <1  S2  such 
that  A,  Ai,  A2;.  Ps3  [vo/xje,  :  r.  Since  c  <  0,  then  S3  +c  <1  S2  4-  c.  and  induction  applies  again,  giving  a 
A3  and  So  such  that 

Eo  +  c<i  S3  +  C  A,  Ai,  Ao,  A3;.  Pso  v  :  t  Ps0+c  m'  :  A,Ai.  A2,  A3  Cn7v0+c(  FTV(  A3)) 

The  conclusion  then  holds  with  Ao  =  Ai,  A2.  A3.  O 
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